TL;DR: Shadow AI is spreading faster than most organisations can govern it, and IBM’s 2025 breach research says 63% lacked formal AI guidelines, leaving data, code, and workflows exposed outside intended boundaries. Existing IAM and device controls help, but they do not by themselves create AI governance discipline.
NHIMG editorial — based on content published by JumpCloud: AI governance, shadow AI, and the controls already in place
By the numbers:
- 63% of organizations lacked formal guidelines for managing AI, failing to prevent the use of shadow AI.
Questions worth separating out
Q: How should security teams govern shadow AI without blocking useful adoption?
A: Start by governing access, not by banning tools.
Q: Why do existing IAM controls only partially solve AI governance?
A: IAM decides who can reach a service, but AI governance also has to control what data is submitted and how the service may use it.
Q: What do organisations get wrong about shadow AI risk?
A: They focus on the novelty of AI tools and miss the older control failures underneath them.
Practitioner guidance
- Map all approved AI entry points Inventory which identities, applications, and managed devices are allowed to reach AI services that can process company data.
- Extend conditional access to AI services Apply access rules that consider user role, device posture, and data sensitivity before prompts or files can leave the environment.
- Treat shadow AI as a discovery problem Add endpoint telemetry, browser visibility, and identity logs to find where employees are already using AI tools.
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical examples of how IAM controls can be applied to approved AI tools without building a new governance stack.
- Device-management tactics for spotting unmanaged endpoints that are already interacting with external AI services.
- The article's broader argument for using existing security controls as the base layer for AI governance.
- How the vendor frames autonomous agents in relation to ordinary AI adoption, which matters if you are separating human use from machine use.
👉 Read JumpCloud's analysis of AI governance, shadow AI, and IAM controls →
AI governance and shadow AI: are existing controls enough?
Explore further
Shadow AI is an identity governance failure before it is an AI problem. The article correctly points to unmanaged adoption, but the deeper issue is that enterprise controls were designed for approved software paths, not for employees creating new data egress routes through third-party models. When the access path is invisible, governance cannot certify what it cannot see. The practitioner conclusion is that AI usage must be brought under identity and device control before policy can mean anything.
A few things that frame the scale:
- 72% of organizations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: How can security teams reduce AI data leakage from managed endpoints?
A: Use device management to restrict which endpoints can access approved AI services, require patching and inventory visibility, and block unmanaged browsers or devices from handling sensitive workflows. The goal is to stop data from leaving through an endpoint that cannot be inspected or governed. That makes containment possible before the prompt is sent.
👉 Read our full editorial: AI governance is exposing the limits of existing IAM controls
Shadow AI is an identity governance failure before it is an AI problem. The article correctly points to unmanaged adoption, but the deeper issue is that enterprise controls were designed for approved software paths, not for employees creating new data egress routes through third-party models. When the access path is invisible, governance cannot certify what it cannot see. The practitioner conclusion is that AI usage must be brought under identity and device control before policy can mean anything.
A few things that frame the scale:
- 72% of organizations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: How can security teams reduce AI data leakage from managed endpoints?
A: Use device management to restrict which endpoints can access approved AI services, require patching and inventory visibility, and block unmanaged browsers or devices from handling sensitive workflows. The goal is to stop data from leaving through an endpoint that cannot be inspected or governed. That makes containment possible before the prompt is sent.
👉 Read our full editorial: AI governance is exposing the limits of existing IAM controls